CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
50.6%
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//
). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2.Secure the Server Configuration:In your vite.config.js
file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: [‘private-directory’] // Restrict access to specific directories
Only users explicitly exposing the Vite dev server to the network (using --host
or server.host
config option) are affected, and only files in the immediate Vite project root folder could be exposed.
Fixed in [email protected], [email protected], [email protected], [email protected]
And in the latest minors of the previous two majors: [email protected], [email protected]
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
//
) (e.g: //.env
, //.env.local
)fs.deny
restrict successfully bypassed.Proof Images: